CWE-837
Improper Enforcement of a Single, Unique Action
The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.
CVE-2025-58135 (GCVE-0-2025-58135)
Vulnerability from cvelistv5 – Published: 2025-09-09 21:45 – Updated: 2025-09-10 19:33
Title
Zoom Workplace Clients for Windows - Improper Action Enforcement
Summary
Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.
Severity
5.3 (Medium)
CWE
- CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Zoom Communications, Inc | Zoom Workplace Clients for Windows | Affected: 0, < see references (custom) |
Date Public
2025-09-09 12:01
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T19:32:54.091406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T19:33:42.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Zoom Workplace Clients for Windows",
"vendor": "Zoom Communications, Inc",
"versions": [
{
"lessThan": "see references",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-09T12:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003e\n\n\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003e\n\n\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eImproper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.\u003c/span\u003e\u003c/b\u003e\n\n\u003c/span\u003e\u003c/b\u003e\n\n\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837: Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T21:45:52.362Z",
"orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"shortName": "Zoom"
},
"references": [
{
"url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-25036"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Zoom Workplace Clients for Windows - Improper Action Enforcement",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
"assignerShortName": "Zoom",
"cveId": "CVE-2025-58135",
"datePublished": "2025-09-09T21:45:52.362Z",
"dateReserved": "2025-08-25T21:15:02.863Z",
"dateUpdated": "2025-09-10T19:33:42.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62782 (GCVE-0-2025-62782)
Vulnerability from cvelistv5 – Published: 2025-10-27 20:50 – Updated: 2025-10-28 14:33
Title
InventoryGUI vulnerable to item duplication via Bundle items when using GuiStorageElement
Summary
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT.
Severity
CWE
- CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Phoenix616/InventoryGui/securi… | x_refsource_CONFIRM |
| https://github.com/Phoenix616/InventoryGui/issues/51 | x_refsource_MISC |
| https://github.com/Phoenix616/InventoryGui/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Phoenix616 | InventoryGui | Affected: < 1.6.4-SNAPSHOT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T14:32:02.773622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:33:18.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InventoryGui",
"vendor": "Phoenix616",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.4-SNAPSHOT"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837: Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:50:07.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-rgvh-4m82-fvjq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-rgvh-4m82-fvjq"
},
{
"name": "https://github.com/Phoenix616/InventoryGui/issues/51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Phoenix616/InventoryGui/issues/51"
},
{
"name": "https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494"
}
],
"source": {
"advisory": "GHSA-rgvh-4m82-fvjq",
"discovery": "UNKNOWN"
},
"title": "InventoryGUI vulnerable to item duplication via Bundle items when using GuiStorageElement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62782",
"datePublished": "2025-10-27T20:50:07.579Z",
"dateReserved": "2025-10-22T18:55:48.008Z",
"dateUpdated": "2025-10-28T14:33:18.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62783 (GCVE-0-2025-62783)
Vulnerability from cvelistv5 – Published: 2025-10-27 20:54 – Updated: 2025-10-28 14:32
Title
InventoryGui affected by item duplication in GUIs which use GuiStorageElement
Summary
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement` can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.2-SNAPSHOT.
Severity
5 (Medium)
CWE
- CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Phoenix616/InventoryGui/securi… | x_refsource_CONFIRM |
| https://github.com/Phoenix616/InventoryGui/issues/48 | x_refsource_MISC |
| https://github.com/Phoenix616/InventoryGui/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Phoenix616 | InventoryGui | Affected: < 1.6.2-SNAPSHOT |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T14:31:23.528723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:32:27.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InventoryGui",
"vendor": "Phoenix616",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.2-SNAPSHOT"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.2-SNAPSHOT."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837: Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:54:36.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-598q-jw82-5w66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-598q-jw82-5w66"
},
{
"name": "https://github.com/Phoenix616/InventoryGui/issues/48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Phoenix616/InventoryGui/issues/48"
},
{
"name": "https://github.com/Phoenix616/InventoryGui/commit/27a52ef6d934a1c232e110e0010e4aa810c27029",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Phoenix616/InventoryGui/commit/27a52ef6d934a1c232e110e0010e4aa810c27029"
}
],
"source": {
"advisory": "GHSA-598q-jw82-5w66",
"discovery": "UNKNOWN"
},
"title": "InventoryGui affected by item duplication in GUIs which use GuiStorageElement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62783",
"datePublished": "2025-10-27T20:54:36.254Z",
"dateReserved": "2025-10-22T18:55:48.008Z",
"dateUpdated": "2025-10-28T14:32:27.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62784 (GCVE-0-2025-62784)
Vulnerability from cvelistv5 – Published: 2025-10-27 20:59 – Updated: 2025-10-28 14:32
Title
InventoryGui allows item duplication in GUIs which use GuiStorageElement
Summary
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin that uses a GUI with the GuiStorageElement and allows items to be taken out of that element can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.5.
Severity
CWE
- CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Phoenix616/InventoryGui/securi… | x_refsource_CONFIRM |
| https://github.com/Phoenix616/InventoryGui/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Phoenix616 | InventoryGui | Affected: < 1.6.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T14:29:16.888344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:32:11.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InventoryGui",
"vendor": "Phoenix616",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837: Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:59:22.085Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-7whh-79j3-7c55",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-7whh-79j3-7c55"
},
{
"name": "https://github.com/Phoenix616/InventoryGui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Phoenix616/InventoryGui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9"
}
],
"source": {
"advisory": "GHSA-7whh-79j3-7c55",
"discovery": "UNKNOWN"
},
"title": "InventoryGui allows item duplication in GUIs which use GuiStorageElement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62784",
"datePublished": "2025-10-27T20:59:22.085Z",
"dateReserved": "2025-10-22T18:55:48.008Z",
"dateUpdated": "2025-10-28T14:32:11.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42609 (GCVE-0-2026-42609)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:03 – Updated: 2026-05-14 17:56
Title
Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
Severity
8.1 (High)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/getgrav/grav/security/advisori… | x_refsource_CONFIRM |
| https://github.com/getgrav/grav/commit/5a12f9be83… | x_refsource_MISC |
| https://github.com/getgrav/grav/commit/c66dfeb5ff… | x_refsource_MISC |
| https://github.com/getgrav/grav/commit/d904efc33e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42609",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T17:56:12.800871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:56:41.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grav",
"vendor": "getgrav",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account\u0027s metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837: Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:03:38.296Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8"
},
{
"name": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
},
{
"name": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
},
{
"name": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632"
}
],
"source": {
"advisory": "GHSA-rr73-568v-28f8",
"discovery": "UNKNOWN"
},
"title": "Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42609",
"datePublished": "2026-05-11T15:03:38.296Z",
"dateReserved": "2026-04-29T00:31:15.725Z",
"dateUpdated": "2026-05-14T17:56:41.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44601 (GCVE-0-2026-44601)
Vulnerability from cvelistv5 – Published: 2026-05-07 03:09 – Updated: 2026-05-07 14:58
Summary
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.
Severity
CWE
- CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| torproject | Tor | Affected: 0, < 0.4.9.7 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:56:45.000287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:58:24.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tor",
"vendor": "torproject",
"versions": [
{
"lessThan": "0.4.9.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.4.9.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-837",
"description": "CWE-837 Improper Enforcement of a Single, Unique Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:25:19.794Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
},
{
"url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41237"
},
{
"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/d4e3f6a440b58c2be661decf20c09548704907dc"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-44601",
"datePublished": "2026-05-07T03:09:51.106Z",
"dateReserved": "2026-05-07T03:09:50.703Z",
"dateUpdated": "2026-05-07T14:58:24.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.